from the gotta-trust-your-ISP dept

We've already written about some of the questionable activities by the lawyer hired by the Thomas Cooley law school in its lawsuit against some former students who have become anonymous critics. However, that same blog post from Paul Alan Levy also spent time discussing behavior on the part of Weebly, the service provider who coughed up the identifying information requested by Cooley's lawyer, despite first promising not to reveal the information at all, and later promising not to reveal if it received information on a motion to quash within a certain time frame. Even with all of that, when the second subpoena came in... Weebly handed over the info, well before the promised deadline it had provided the lawyer for the defendant.

Levy contacted Weebly's CEO, who gave a variety of reasons why they handed over this info, despite promising not to:

Weebly’s first point to me was that its email to Hermann saying that he could consider the subpoena “squashed at this point” really wasn’t intended to make any commitments — Hermann has been writing “over and over” about keeping his client’s identity private, and “I had no idea what he was talking about, so I said it’s ‘squashed for now’ just so he’d leave me alone.”

Weebly also said that after it got the California subpoena, it told Hermann that he would actually need to get a ruling from the judge quashing that subpoena no later than August 22, or it would have to obey the subpoena. I have two problems with that — first, even the subpoena did not require compliance until August 25, and the information was furnished on August 17. But more important, Weebly’s stance falls well short of the industry standard. In our experience, responsible ISP’s, such as Google, and Yahoo!, and Twitter, will simply insist to parties sending them subpoenas that they won’t comply with subpoenas to identify users if a motion to quash is filed within a given period, normally about two weeks.

Weebly also told me that the disclosure was made in part because Hermann gave shifting stories about whether the subpoena would be issued by a Michigan court or a California court. I found that argument unconvincing. Hermann was plainly uncertain about the actual subpoena documents, but I could not find the shifting accounts. And in any event, should discomfort with the Doe’s lawyer be a reason to shed the Doe’s privacy?

Next, Weebly said that its disclosures didn’t really matter because it did not provide the customer’s actual name, just an email address and various IP addresses. This is not the first ISP that has rationalized subpoena compliance on such grounds. I have got that line from Wikipedia twice, for example. But this case shows why the argument is delusional. The Doe was a former student at plaintiff law school, and the same email address that he gave Weebly was one that he has used while in law school. Thus, when plaintiff got the email address it was able to identify the Doe, and in fact it named the Doe in its amended complaint and cited his name throughout its opposition to the motion to quash.

Weebly’s final explanation to me struck me as the real reason, and it was perhaps the worst part of the explanation. Huffaker said, the subpoena came in on a day when I was out of the office, we have a small staff, we work long hours, we don’t have a lawyer on staff, we don’t get many subpoenas, and we strongly resist requests to remove material at the request of the targets of its customers’ criticism. All of this is understandable, and much of it praiseworthy, but to my mind, protecting customers’ privacy is also important, and if an ISP doesn’t have a lawyer, it has a responsibility to inform itself of the law governing subpoenas to identify customers and of the industry standard on responding to subpoenas. Moreover, although legal representation can be expensive, Public Citizen often represents smaller ISP’s pro bono in opposing subpoenas when the plaintiff does not meet the Dendrite test. Indeed, California has made it easy to fund the defense against subpoenas in these cases by passing a SLAPP-like law providing for awards of attorney fees; and Hermann made a point of suggesting that angle. Weebly says that it cares about protecting its customers, but it is hard to take those protestations seriously. Potential customers of Weebly, beware.

This may seem harsh on a small service provider like Weebly, and it's recognizable that it's tough for service providers to keep up on every law that they have to deal with, but if you're in the business of providing websites, it's important to know some basic laws concerning free speech and privacy.

And Weebly isn't just some mom-and-pop ISP as you might get from Levy's writeup. The company is funded by Sequoia Capital, considered one of the top 5 (if not the top) venture capital firms out there, went through the famous YCombinator program, and has other famous investors including Ron Conway, Mike Maples, Aydein Senkut and Paul Buchheit. In other words, this is a company that has both the resources and the connections to get the proper legal help when it receives a subpoena (questionable or legit), and never should have revealed this info -- especially after promising not to.

That said, companies do make mistakes. One would hope that Weebly's response in this case will be to apologize for handing over the info without properly allowing the court to consider the motion to quash, and will (1) make its policies much clearer and (2) make sure that its entire staff is familiar with how to deal with such subpoenas in the future. Hopefully this is a lesson for the company.